This is an update for our prior diary ( http://isc.sans.org/diary.html?date=2003-11-25 ) .
We observed strong fluctuations in this traffic, indicating a central control mechanism. Based on feedback from sources of this traffic, we suspect that the
traffic may be related to a popup-spam blocking application. Several users reported seeing the udp traffic to port 1026-1031 after installing this software.
In our own testing, this software has not yet exhibited this behaviour.
This particular popup spam blocker is advertised via popup spam. So it would make sense for the application to use hosts on which it is installed to 'spread the message'.
Dec 2nd 2003
1 decade ago